[erlang-questions] bcrypt message queues

Stanislaw Klekot erlang.org@REDACTED
Tue May 31 11:31:25 CEST 2016


On Tue, May 31, 2016 at 10:56:05AM +0200, Sverker Eriksson wrote:
> How heavy duty is this bcrypt?
> Does it take milliseconds to hash one little password?

Password hashes are *designed* to take a long time to compute (e.g.
a semi-traditional MD5-based crypt() is MD5 hash applied 1000 times,
each time to the result of the previous computation). This is to make
precomputation attacks so much more costly.

Having said that, https://github.com/chef/erlang-bcrypt has its
internals sub-par, as it runs two processes (one for NIF and one for
port driver; why port driver? there's no state to maintain between
calls as far as I'm aware), and NIF is always called in one. This makes
a great example of an unnecessary bottleneck.

-- 
Stanislaw Klekot
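
The bottleneck described in this message, reproduced as an added example (not part of the original post and not erlang-bcrypt's code). It assumes an iterated SHA-256 as a stand-in for the slow hash; the module name `hash_queue_demo` and all function names are hypothetical. It times the same number of concurrent requests once through a single worker process and once computed in each caller, and samples the worker's mailbox length while requests are pending.

```erlang
-module(hash_queue_demo).
-export([run/0, run/2]).

%% Stand-in for a slow password hash (NOT bcrypt, not for real use):
%% SHA-256 applied Rounds times, each time to the previous result.
slow_hash(Data, 0) -> Data;
slow_hash(Data, Rounds) -> slow_hash(crypto:hash(sha256, Data), Rounds - 1).

%% One process serving every request: callers queue in its mailbox.
worker(Rounds) ->
    receive
        {hash, From, Ref, Pw} ->
            From ! {Ref, slow_hash(Pw, Rounds)},
            worker(Rounds)
    end.

via_worker(Worker, Pw) ->
    Ref = make_ref(),
    Worker ! {hash, self(), Ref, Pw},
    receive {Ref, Hash} -> Hash end.

%% Start N concurrent callers that each run Fun once.
start(N, Fun) ->
    Parent = self(),
    [begin
         Ref = make_ref(),
         spawn_link(fun() -> Fun(), Parent ! {done, Ref} end),
         Ref
     end || _ <- lists:seq(1, N)].

wait(Refs) -> lists:foreach(fun(R) -> receive {done, R} -> ok end end, Refs).

run() -> run(16, 100000).

run(Callers, Rounds) ->
    Pw = <<"constructed-sample-password">>,   % constructed sample input
    Worker = spawn_link(fun() -> worker(Rounds) end),
    T0 = erlang:monotonic_time(millisecond),
    Refs = start(Callers, fun() -> via_worker(Worker, Pw) end),
    timer:sleep(10),   % let the requests reach the worker's mailbox
    {message_queue_len, QLen} = process_info(Worker, message_queue_len),
    wait(Refs),
    T1 = erlang:monotonic_time(millisecond),
    wait(start(Callers, fun() -> slow_hash(Pw, Rounds) end)),
    T2 = erlang:monotonic_time(millisecond),
    unlink(Worker), exit(Worker, kill),
    io:format("single worker: ~p ms (queue length ~p); per-caller: ~p ms~n",
              [T1 - T0, QLen, T2 - T1]),
    {T1 - T0, QLen, T2 - T1}.
```

Compile it in an Erlang shell with `c(hash_queue_demo).` and call `hash_queue_demo:run().`; on a multi-core node the single-worker time grows with the number of callers while the per-caller time is bounded by the available schedulers.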


